Relationship between functional safety and security

Part of the document IEC 61784-3:2016 (pages 36 to 44)

Security threat and risk assessment is necessary for safety-related applications.

Requirements for security are detailed in the IEC 62443 series.

Security means protection against unacceptable intentional (cyber) attacks or unintentional changes of an industrial automation and control system (IACS).

Security concepts in IEC 62443 follow a life cycle concept similar to that of IEC 61508, starting with a security threat and risk assessment and the assignment of target Security Levels. However, because the threats originate from individuals, IEC 62443 emphasizes primarily policies and procedures for a Security Management System (SMS) established by plant owners and suppliers within their organization. One major task of the SMS is maintenance of the security system to counter degradation, for example via monitoring, periodic assessments, or software patches.

IEC 62443 then specifies technologies and methods to achieve a secure system by partitioning the architecture of an IACS into zones and conduits. The plant owner or integrator is provided with appropriate countermeasures and technologies to achieve, for each zone and conduit, the target Security Level, which is expressed as a vector over the seven foundational requirements.

IEC 62443 also addresses the requirements to secure system components.

IEC 62443 allows designers to choose where to implement the security countermeasures with respect to safety devices.
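As an added illustration (not text or code from IEC 61784-3 or IEC 62443), the following Python models the zone and conduit partitioning with each Security Level written as a seven-component vector, one entry per foundational requirement. The FR names are those enumerated in IEC 62443-3-3; the zone names, conduit names and SL values are constructed for the example, and the element-wise rule that a target is met only when every achieved component reaches the target component is the reading of the vector used here.

```python
"""Zones-and-conduits model with IEC 62443 Security Level (SL) vectors.

Added illustration, not part of IEC 61784-3. The seven foundational
requirements (FR1 to FR7) are the ones enumerated in IEC 62443-3-3; the
zone names, conduit names and SL values below are constructed for the
example and describe no real plant.
"""
from dataclasses import dataclass

# Seven foundational requirements of IEC 62443-3-3; position = vector index.
FOUNDATIONAL_REQUIREMENTS = (
    "FR1 identification and authentication control",
    "FR2 use control",
    "FR3 system integrity",
    "FR4 data confidentiality",
    "FR5 restricted data flow",
    "FR6 timely response to events",
    "FR7 resource availability",
)


def validate_sl(vec):
    """An SL vector has one entry per FR, each a level 0 to 4."""
    vec = tuple(vec)
    if len(vec) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError(f"SL vector needs 7 entries, got {len(vec)}")
    if any(not isinstance(v, int) or not 0 <= v <= 4 for v in vec):
        raise ValueError(f"SL entries must be integers 0..4: {vec}")
    return vec


def sl_gap(target, achieved):
    """Per-FR shortfall of the achieved vector (SL-A) against the target (SL-T).

    The target is met only when every component of the achieved vector is
    at least the corresponding target component; exceeding the target on
    one FR does not compensate for falling short on another.
    """
    target, achieved = validate_sl(target), validate_sl(achieved)
    return {
        fr: t - a
        for fr, t, a in zip(FOUNDATIONAL_REQUIREMENTS, target, achieved)
        if a < t
    }


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: tuple
    sl_achieved: tuple


@dataclass(frozen=True)
class Conduit:
    name: str
    ends: tuple          # names of the two zones the conduit connects
    sl_target: tuple
    sl_achieved: tuple


def assess(zones, conduits):
    """Findings for a partitioned IACS; an empty list means every target is met."""
    findings = []
    known = {z.name for z in zones}
    for z in zones:
        for fr, gap in sl_gap(z.sl_target, z.sl_achieved).items():
            findings.append(f"zone {z.name}: {fr} short by {gap}")
    for c in conduits:
        for end in c.ends:
            if end not in known:
                findings.append(f"conduit {c.name}: connects undefined zone {end}")
        for fr, gap in sl_gap(c.sl_target, c.sl_achieved).items():
            findings.append(f"conduit {c.name}: {fr} short by {gap}")
    return findings


# Constructed example: a control zone with a functional safety island.
# All SL values are invented for the illustration.
EXAMPLE_ZONES = [
    Zone("enterprise", (1, 1, 1, 1, 1, 1, 1), (1, 1, 1, 1, 1, 1, 1)),
    Zone("control", (2, 2, 2, 1, 2, 2, 2), (2, 2, 2, 1, 2, 2, 2)),
    # Safety island: FR5 (restricted data flow) is achieved one level short.
    Zone("safety-island", (2, 2, 3, 1, 3, 2, 3), (2, 2, 3, 1, 2, 2, 3)),
]
EXAMPLE_CONDUITS = [
    Conduit("ent-ctrl", ("enterprise", "control"),
            (2, 2, 2, 1, 2, 2, 2), (2, 2, 2, 1, 2, 2, 2)),
    Conduit("ctrl-safety", ("control", "safety-island"),
            (2, 2, 3, 1, 3, 2, 3), (2, 2, 3, 1, 3, 2, 3)),
]


def example_findings():
    return assess(EXAMPLE_ZONES, EXAMPLE_CONDUITS)


if __name__ == "__main__":
    for line in example_findings() or ["all targets met"]:
        print(line)
```

Running the module reports the single shortfall in the constructed plant (the safety island's restricted data flow requirement); a zone that exceeds its target on FR1 while missing FR5 is still reported, which is the point of treating the Security Level as a vector rather than a single number.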

NOTE Additional profile specific requirements can also be specified in IEC 61784-4.

Figure 11 shows an example of the zones and conduits partitioning of an IACS with functional safety islands.

Figure 11 – Zones and conduits concept for security according to IEC 62443

5.10 Boundary conditions and constraints

5.10.1 Electrical safety

Electrical safety is a precondition for a functional safety communication system. Therefore, all safety devices connected to it shall conform to the relevant IEC electrical safety standards (for example SELV/PELV as specified in IEC 61010-2-201). The Safety Manual shall specify the constraints required of the devices connected in a functional safety communication system, whether safety devices or non-safety devices, including active network elements.

NOTE 1 Required additions to the installation guidelines (for example cables, cable installation, shields, grounding, potential balancing) are specified in IEC 61918 and IEC 61784-5.

NOTE 2 Requirements for power supplies (for example single fault proof, use of separate power supplies, SELV/PELV, country specific current limitations, etc.) are specified in IEC 61918 and IEC 61784-5.

NOTE 3 Requirements for the standard bus devices (for example assessment) are specific to the functional safety communication profiles.

5.10.2 Electromagnetic compatibility (EMC)

Safety devices shall comply with the increased test levels and durations, as well as corresponding performance criteria specified in IEC 61326-3-1 or the generic standard IEC 61000-6-7. IEC 61326-3-2 may be used as an exception, if the intended application exactly matches the specific scope and pre-conditions of IEC 61326-3-2.

NOTE Certain applications can require higher levels than those specified in IEC 61326-3-1, according to the Safety Requirements Specification (SRS).


5.11 Installation guidelines

The requirements for installation of equipment using the communication technologies specified in this standard are specified in IEC 61918 and the profile specific parts of IEC 61784-5, as well as any relevant additional standards required by the individual profiles.

Non-compliant devices on the bus could seriously disrupt operation, and thus compromise availability (because of spurious trips, including nuisance trips), subsequently causing the safety feature to be disabled by the user.

Therefore, it is strongly recommended that all products connected to the fieldbus in a safety-related application (even the standard ones) provide an appropriate conformity assessment to the relevant fieldbus protocol (for example manufacturer declaration or third-party assessment).

NOTE Additional details can be provided in the technology-specific parts of the IEC 61784-3 sub-series if relevant.

5.12 Safety manual

According to IEC 61508-2, device suppliers shall provide a safety manual. A description of the minimum information required by the profile to be included in the safety manual is provided in the relevant profile specific parts.

5.13 Safety policy

Users of this standard shall take into account the following constraints to avoid misunderstanding, wrong expectations or legal actions regarding safety-related developments and applications.

NOTE 1 This includes for example use for training, seminars, workshops and consultancy.

The communication technologies specified in this standard shall only be implemented in devices designed in accordance with the requirements of IEC 61508.

The use of communication technologies specified in this standard in a device does not ensure that all necessary technical, organizational and legal requirements related to safety-related applications of the device have been fulfilled in accordance with the requirements of IEC 61508.

For a device based on this standard to be suitable for use in safety-related applications, appropriate functional safety management life-cycle processes according to the relevant safety standards and relevant legislation/regulations shall be observed. This shall be assessed in accordance with the independence and competence requirements of IEC 61508-1.

In the context of hardware safety integrity, the highest safety integrity level that can be claimed for a safety function is limited by the hardware safety integrity constraints, which shall be achieved by implementing Route 1H of IEC 61508-2, based on the hardware fault tolerance and safe failure fraction concepts (to be implemented at system or subsystem level).

The manufacturer of a device using communication technologies specified in this standard is responsible for the correct implementation of the standard, the correctness and completeness of the device documentation and information.

It is strongly recommended that implementers of a specific profile comply with the appropriate conformance tests and validations provided by the related technology-specific organization.

NOTE 2 These requirements and recommendations are included because incorrect implementations could lead to serious injury or loss of life.

6 Communication Profile Family 1 (FOUNDATION™ Fieldbus) – Profiles for functional safety

Communication Profile Family 1 (commonly known as FOUNDATION™ Fieldbus6) defines communication profiles based on IEC 61158-2 Type 1, IEC 61158-3-1, IEC 61158-4-1, IEC 61158-5-5, IEC 61158-5-9, IEC 61158-6-5, and IEC 61158-6-9.

The basic profiles CP 1/1, CP 1/2, and CP 1/3 are defined in IEC 61784-1. The CPF 1 functional safety communication profile FSCP 1/1 (FF-SIS™6) is based on the CP 1/1 basic profile in IEC 61784-1 and the safety communication layer specifications defined in IEC 61784-3-1.

7 Communication Profile Family 2 (CIP™) and Family 16 (SERCOS®) – Profiles for functional safety

Communication Profile Family 2 (commonly known as CIP™7) defines communication profiles based on IEC 61158-2 Type 2, IEC 61158-3-2, IEC 61158-4-2, IEC 61158-5-2, and IEC 61158-6-2.

Communication Profile Family 16 (commonly known as SERCOS®8) defines a communication profile CP 16/3 based on IEC 61158-3-19, IEC 61158-4-19, IEC 61158-5-19, and IEC 61158-6-19.

The basic profiles CP 2/1, CP 2/2, CP 2/3 and CP 16/3 are defined in IEC 61784-1 and IEC 61784-2. The CPF 2 functional safety communication profile FSCP 2/1 (CIP Safety™7) is based on the CPF 2 basic profiles in IEC 61784-1 and IEC 61784-2, the CP 16/3 basic profile in IEC 61784-2, and the safety communication layer specifications defined in IEC 61784-3-2.

8 Communication Profile Family 3 (PROFIBUS™, PROFINET™) – Profiles for functional safety

Communication Profile Family 3 (commonly known as PROFIBUS™, PROFINET™9) defines communication profiles based on IEC 61158-2 Type 3, IEC 61158-3-3, IEC 61158-4-3, IEC 61158-5-3, IEC 61158-5-10, IEC 61158-6-3, and IEC 61158-6-10.

_______________

6 FOUNDATION™ Fieldbus and FF-SIS™ are trade names of the non-profit organization Fieldbus Foundation. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names Foundation Fieldbus™ or FF-SIS™. Use of the trade names FOUNDATION™ Fieldbus or FF-SIS™ requires permission of Fieldbus Foundation and compliance with conditions for their use (such as testing and validation).

7 CIP™ (Common Industrial Protocol) and CIP Safety™ are trade names of the non-profit organization ODVA, Inc. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names CIP™ or CIP Safety™. Use of the trade names CIP™ or CIP Safety™ requires permission of ODVA and compliance with conditions for their use (such as testing and validation).

8 SERCOS® is a trade name of SERCOS International e.V. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trademark holder or any of its products. Compliance to this standard does not require use of the trade name SERCOS®. Use of the trade name SERCOS® requires permission of the trade name holder and compliance with conditions for its use (such as testing and validation).

9 PROFIBUS™, PROFINET™ and PROFIsafe™ are trade names of the non-profit organization PROFIBUS Nutzerorganisation e.V. (PNO). This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the registered trade names for PROFIBUS™, PROFINET™ or PROFIsafe™. Use of the registered trade names for PROFIBUS™, PROFINET™ or PROFIsafe™ requires permission of PNO and compliance with conditions for their use (such as testing and validation).

The basic profiles CP 3/1 and CP 3/2 are defined in IEC 61784-1; CP 3/4, CP 3/5 and CP 3/6 are defined in IEC 61784-2. The CPF 3 functional safety communication profile FSCP 3/1 (PROFIsafe™9) is based on the CPF 3 basic profiles in IEC 61784-1 and IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-3.

9 Communication Profile Family 6 (INTERBUS®) – Profiles for functional safety

Communication Profile Family 6 (commonly known as INTERBUS®10) defines communication profiles based on IEC 61158-2 Type 8, IEC 61158-3-8, IEC 61158-4-8, IEC 61158-5-8, and IEC 61158-6-8.

The basic profiles CP 6/1, CP 6/2, CP 6/3 are defined in IEC 61784-1. The CPF 6 functional safety communication profile FSCP 6/7 (INTERBUS Safety™10) is based on the CPF 6 basic profiles in IEC 61784-1 and the safety communication layer specifications defined in IEC 61784-3-6.

The profiles CP 6/1, CP 6/2 and CP 6/3 contain optional services, which are specified by profile identifiers. The profile identifiers suitable for FSCP 6/7 are shown in Table 5.

Table 5 – Overview of profile identifiers usable for FSCP 6/7

Profile        Master                              Slave
               Cyclic    Cyclic and non-cyclic     Cyclic    Non-cyclic    Cyclic and non-cyclic
Profile 6/1    618       619                       611       –             613
Profile 6/2    –         629                       –         –             623
Profile 6/3    –         639                       –         –             633

The safety communication layer specification given in IEC 61784-3-6 fully applies.

10 Communication Profile Family 8 (CC-Link™) – Profiles for functional safety

10.1 Functional Safety Communication Profile 8/1

Communication Profile Family 8 (commonly known as CC-Link™11) defines communication profiles based on IEC 61158-2 Type 18, IEC 61158-3-18, IEC 61158-4-18, IEC 61158-5-18, and IEC 61158-6-18.

The basic profiles CP 8/1, CP 8/2, and CP 8/3 are defined in IEC 61784-1. The CPF 8 functional safety communication profile FSCP 8/1 (CC-Link Safety™11) is based on the CPF 8 basic profiles in IEC 61784-1 and the safety communication layer specifications defined in IEC 61784-3-8.

_______________

10 INTERBUS® and INTERBUS Safety™ are trade names of Phoenix Contact GmbH & Co. KG; control of trade name use is given to the non-profit organization INTERBUS Club. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names INTERBUS® or INTERBUS Safety™. Use of the trade names INTERBUS® or INTERBUS Safety™ requires permission of the INTERBUS Club and compliance with conditions for their use (such as testing and validation).

11 CC-Link™ and CC-Link Safety™ are trade names of the non-profit organization CC-Link Partner Association. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names CC-Link™ or CC-Link Safety™. Use of the trade names CC-Link™ or CC-Link Safety™ requires permission of CC-Link Partner Association and compliance with conditions for their use (such as testing and validation).

10.2 Functional Safety Communication Profile 8/2

Communication Profile Family 8 also defines communication profiles based on IEC 61158-5-23 and IEC 61158-6-23.

The basic profiles CP 8/4 and CP 8/5 (commonly known as CC-Link IE™12) are defined in IEC 61784-2. The CPF 8 functional safety communication profile FSCP 8/2 (CC-Link IE™ Safety communication function) is based on the CPF 8 basic profiles in IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-8.

11 Communication Profile Family 12 (EtherCAT™) – Profiles for functional safety

Communication Profile Family 12 (commonly known as EtherCAT™13) defines communication profiles based on IEC 61158-2 Type 12, IEC 61158-3-12, IEC 61158-4-12, IEC 61158-5-12 and IEC 61158-6-12.

The basic profiles CP 12/1 and CP 12/2 are defined in IEC 61784-2. The CPF 12 functional safety communication profile FSCP 12/1 (Safety-over-EtherCAT™13) is based on the CPF 12 basic profiles in IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-12.

_______________

12 CC-Link IE™ is a trade name of the non-profit organization CC-Link Partner Association. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade name CC-Link IE™. Use of the trade name CC-Link IE™ requires permission of CC-Link Partner Association and compliance with conditions for its use (such as testing and validation).

13 EtherCAT™ and Safety-over-EtherCAT™ are trade names of Beckhoff, Verl. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names EtherCAT™ or Safety-over-EtherCAT™. Use of the trade names EtherCAT™ or Safety-over-EtherCAT™ requires permission of Beckhoff, Verl and compliance with conditions for their use (such as testing and validation).

12 Communication Profile Family 13 (Ethernet POWERLINK™) – Profiles for functional safety

Communication Profile Family 13 (commonly known as Ethernet POWERLINK™14) defines communication profiles based on IEC 61158-3-13, IEC 61158-4-13, IEC 61158-5-13, and IEC 61158-6-13.

The basic profile CP 13/1 is defined in IEC 61784-2. The CPF 13 functional safety communication profile FSCP 13/1 (openSAFETY™14) is based on the CPF 13 basic profiles in IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-13.

13 Communication Profile Family 14 (EPA®) – Profiles for functional safety

Communication Profile Family 14 (commonly known as EPA®15) defines communication profiles based on IEC 61158-3-14, IEC 61158-4-14, IEC 61158-5-14, and IEC 61158-6-14.

The basic profiles CP 14/1 and CP 14/2 are defined in IEC 61784-2. The CPF 14 functional safety communication profile FSCP 14/1 (EPASafety®15) is based on the CPF 14 basic profiles in IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-14.

14 Communication Profile Family 17 (RAPIEnet™) – Profiles for functional safety

Communication Profile Family 17 (commonly known as RAPIEnet™16) defines a communication profile based on IEC 61158-3-21, IEC 61158-4-21, IEC 61158-5-21, and IEC 61158-6-21.

The basic profile CP 17/1 is defined in IEC 61784-2. The CPF 17 functional safety communication profile FSCP 17/1 (RAPIEnet Safety™16) is based on the CPF 17 basic profile in IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-17.

_______________

14 Ethernet POWERLINK™ and openSAFETY™ are trade names of the non-profit organization Ethernet POWERLINK™ Standardization Group (EPSG). This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names Ethernet POWERLINK™ or openSAFETY™. Use of the trade names Ethernet POWERLINK™ or openSAFETY™ requires permission of Ethernet POWERLINK™ Standardization Group (EPSG) and compliance with conditions for their use (such as testing and validation).

15 EPA® and EPASafety® are trade names of Zhejiang SUPCON® Sci&Tech Group Co. Ltd., China. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this standard does not require use of the trade names EPA® or EPASafety®. Use of the trade names EPA® or EPASafety® requires permission of SUPCON® and compliance with conditions for their use (such as testing and validation).

16 RAPIEnet™ and RAPIEnet Safety™ are trade names of the non-profit organization RAPIEnet Association. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance with this standard does not require use of the registered trade names for RAPIEnet™ or RAPIEnet Safety™. Use of the registered trade names for RAPIEnet™ or RAPIEnet Safety™ requires permission of RAPIEnet Association and compliance with conditions for their use (such as testing and validation).

15 Communication Profile Family 18 (SafetyNET p™ Fieldbus) – Profiles for functional safety

Communication Profile Family 18 (commonly known as SafetyNET p™17) defines communication profiles based on IEC 61158-3-22, IEC 61158-4-22, IEC 61158-5-22 and IEC 61158-6-22.

The basic profiles CP 18/1 and CP 18/2 are defined in IEC 61784-2. The CPF 18 functional safety communication profile FSCP 18/1 is based on the CPF 18 basic profiles in IEC 61784-2 and the safety communication layer specifications defined in IEC 61784-3-18.

_______________

17 SafetyNET p™ is a trade name of Pilz GmbH & Co. KG. This information is given for the convenience of users of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this profile does not require use of the trade name SafetyNET p™. Use of the trade name SafetyNET p™ requires permission of the trade name holder and compliance with conditions for its use (such as testing and validation).

Annex A (informative)

Example functional safety communication models
